HITRUST’s approach to evaluating a control’s implementation is based on a control maturity model outlined by the NIST Program Review of Information Security Management Assistance (PRISMA),93 which provides five levels of maturity roughly similar to those of the Carnegie Mellon Software Engineering Institute’s (CM-SEI’s) Capability Maturity Model Integration (CMMI) process improvement model.94

“The structure of a PRISMA Review is based upon the [CMMI], where an organization’s developmental advancement is measured by one of five maturity levels”95: (1) Policies (does the organization know what it needs to do?), (2) Procedures (does the organization know how to do it?), (3) Implementation (has the organization done it?), (4) Testing (does the organization ensure it is working properly?), and (5) Integration (are the activities in the first four levels well integrated?).96 Assessing the maturity of an organization’s information protection program with a comprehensive and consistently applied methodology, including the status of its information security policies, procedures, and control implementation, provides better assurance because it rests on direct rather than circumstantial evidence. It is therefore more indicative of the actual level of protection the organization provides for sensitive information, and a more legitimate method of measuring the organization’s information risk profile.

Like PRISMA, the HITRUST model’s first three levels provide rough equivalence with traditional compliance-based assessments. First, control requirements must be clearly understood at all levels of the organization through documented policies or standards that are communicated to all stakeholders. Second, procedures must be in place to support the actual implementation of required controls. These first two levels essentially address the concept of design effectiveness, since policies and procedures must comport with each HITRUST CSF control requirement at a highly granular level. Third, the controls must be fully implemented and tested as required to ensure they operate as intended. HITRUST then modified the PRISMA model so that the fourth and fifth levels specifically address the concept of ‘you can’t manage what you don’t measure’, and it is the last three levels (Implemented, Measured, and Managed) that support the evaluation of a control’s operational effectiveness.

The initial maturity level, Policy, considers the existence of current, documented information security policies or standards in the organization’s information security program and whether they fully address the control’s implementation specifications. Policy addresses what the organization is supposed to do. For example, if a requirement statement has multiple actions associated with it, does a corporate policy or standard address all its elements, either directly in the policy or indirectly by reference to an external standard? And does the policy apply to all organizational units and systems within scope of the assessment?

The second maturity level, Procedure, considers the existence of documented procedures or processes developed from the policies or standards and whether they reasonably apply to the organizational units and systems within scope of the assessment. Procedures help address how an organization does what it is supposed to do. For example, are there one or more written procedures that address the implementation of all the elements specified in a requirement statement?

The third maturity level, Implemented, considers the actual implementation of the policies and whether the control’s implementation specifications are applied to all the organizational units and systems within scope of the assessment. For example, are all elements of a requirement statement addressed by the implementation for all corporate shared services?

The fourth maturity level, Measured, considers the testing or measurement (metrics) of the specification’s implementation and whether the implemented controls remain effective. This idea of monitoring is not new, as the American Institute of Certified Public Accountants (AICPA)97 lists monitoring, i.e., the process of assessing performance over time, as one of five interrelated components of internal control. However, the concept of continuous monitoring, upon which this level is based, is relatively new.

NIST equates continuous monitoring with maintaining ongoing awareness to support organizational risk decisions. The terms ‘continuous’ and ‘ongoing’ in this context mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions that adequately protect organizational information. Thus, testing a control only to support an annual assessment or audit will likely not satisfy this requirement for many controls. Instead, an organization must periodically (and possibly aperiodically) measure and track this information more often, especially if such monitoring could easily be done more frequently. For example, an organization may use a management console to track antivirus software implementation status in near real time and produce metrics on the percentage of end-user devices that have the latest software and signature updates.

The final maturity level, Managed, reviews the organization’s management of its control implementations based on these metrics. For example, if common or special variations are discovered through testing or measurement of a control’s effectiveness, can the organization demonstrate that it has a management process for this metric and, when such common or special variations occur, can it show that it has performed a root cause analysis and taken corrective action based on the results?

Evidence suggests that the more mature an organization’s information protection program—specifically the information security controls that demonstrate proficiency of operation, management, and reporting—the more likely the organization is to continue operating those controls in a similar manner in the future. Further, it can also be shown that mature organizations are less likely to suffer a breach and, should a breach occur, are more likely to contain it and minimize its impact. This is because controls that have been implemented at a high level of maturity are simply less likely to fail than controls that are implemented poorly. For example, Forrester Consulting has shown that organizations that implement a CMM-based maturity model and reach the highest level of maturity—even when limited to the area of identity and access management—incur roughly “half the number of breaches as the least mature … [and save] 40% in technology costs and an average of $5 million in breach costs.”98

93 See Bowen, P. and Kissel, R. (2007, Jan). Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358). Gaithersburg, MD: NIST.

94 For more information on CMMI, see ISACA (2022). What is CMMI?

95 Bowen, P. and Kissel, R. (2007, Jan). Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358), p. 2.

96 For more information on the PRISMA maturity levels, see NIST (2021, 5 Nov). Information Technology Laboratory: Computer Security Resource Center: Projects: Program Review for Information Assistance.

97 For more information, see AICPA (2022). About AICPA & CIMA.

98 Quoted from Centrify (2017). Stop the Breach: Reduce the Likelihood of an Attack through an IAM Maturity Model: A Forrester Consulting Thought Leadership Paper, p. 1.